views:

80

answers:

2

I am writing a PHP/MySQL app that uses a few different tables.

Table 1 stores user information (name, email, etc.), Table 2 stores that user's widgets, and Table 3 stores those individual widgets' configuration.

The way I'm doing this now is that Table 1 has an auto-increment key that I use to identify that specific user. When they access Table 2, it creates a row that contains that table's own key ID, as well as a "uid", which is the key ID of that specific user from Table 1. When the user wants to set settings for their widgets, in Table 3, it stores what I call a "cxid", or config xid, which is the unique widget ID from Table 2.

The goal of this is to limit what widgets are seen by what users, and the config is used for configuration purposes obviously.

The problem is that when I'm calling up an individual's widgets, it passes the uid in the URL. This is obviously a security issue, as you can change that and view other people's widgets. But I don't even want anyone to know how this is being done. Is there any way of passing variables between scripts not using the URL, but also not using forms?

+5  A: 

Yep, you can use sessions.

Basically, you store all the necessary information about the user to $_SESSION, and retrieve it on each page load.

For instance, on the first page load:

session_start();
$_SESSION['uid'] = 123;

By default, the user would receive a cookie identifying the session, but containing no other information.

On the second page load, you could call:

session_start();
$x = $_SESSION['uid'];
//$x is now 123
//run a query here!

session_start() will read the user's cookie, find the session information (by default stored in a temporary file location) and fill $_SESSION with the information you stored last time you saw them.

zombat
How long do sessions last? Can I close/clear them when the user logs out or wants to log in with a different account?
Patrick
Yes, close them by issuing a session_destroy() command.
Chacha102
There is a bug, however, with session_destroy(), because all data in the $_SESSION variables lasts until the script is finished executing. I don't find that a problem because I immediately redirect them.
Chacha102
+2  A: 

It's possible to pass information around between your PHP pages using sessions, but the only way to get the information from the user (i.e. which widget/cxid they want to view) is via a form post or the URL, the way you're doing it now.

You really need to do proper checking before displaying the widget the user has asked for.

First, store the userID in a session as zombat has already written.

Then you can do something like:

$result = mysql_query("SELECT cxid, uid FROM table2 WHERE cxid = '42'");
$row = mysql_fetch_assoc($result);   // associative array, so $row['uid'] is defined (mysql_fetch_row would give only numeric keys)
if ($row && $_SESSION['uid'] == $row['uid'])
{
    // display widget info
}
else
{
    echo 'Sorry you can only view your own widgets!';
}
lennyk
Many thanks! That is a very straightforward way of accomplishing what I'm trying to do.
Patrick
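The same ownership check as in lennyk's answer, written as an added example that is not part of either answer: the uid comes from $_SESSION, the widget id still arrives in the URL but is validated and bound as a prepared-statement parameter, and the ownership condition sits in the WHERE clause so a cxid belonging to another user returns no row at all. The table and column names (widgets.uid, widget_config.cxid), the sample rows and the use of in-memory SQLite in place of MySQL are all assumptions made for the example.

```php
<?php
// Added example (not from the original answers). Table/column names and
// sample rows are assumed; SQLite stands in for MySQL so this runs offline.

function load_owned_widget(PDO $db, int $session_uid, int $cxid): ?array
{
    // Ownership is enforced inside the query: a widget id that belongs to
    // another user simply matches nothing, so its existence is not revealed.
    $stmt = $db->prepare(
        'SELECT w.id, w.name, c.setting_key, c.setting_value
           FROM widgets w
           LEFT JOIN widget_config c ON c.cxid = w.id
          WHERE w.id = :cxid AND w.uid = :uid'
    );
    $stmt->execute([':cxid' => $cxid, ':uid' => $session_uid]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return $rows ? $rows : null;
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE widgets (id INTEGER PRIMARY KEY, uid INTEGER, name TEXT)');
$db->exec('CREATE TABLE widget_config (id INTEGER PRIMARY KEY, cxid INTEGER, setting_key TEXT, setting_value TEXT)');
$db->exec("INSERT INTO widgets VALUES (42, 123, 'weather'), (43, 999, 'stocks')");
$db->exec("INSERT INTO widget_config VALUES (1, 42, 'city', 'Oslo'), (2, 43, 'symbol', 'ACME')");

session_start();
$_SESSION['uid'] = 123;   // set once at login, never taken from the URL

// The widget id may come from the URL; check its type before using it.
$cxid = filter_var($_GET['cxid'] ?? 42, FILTER_VALIDATE_INT);
if ($cxid === false) {
    http_response_code(400);
    exit('Bad widget id');
}

$widget = load_owned_widget($db, $_SESSION['uid'], $cxid);
if ($widget === null) {
    http_response_code(404);   // same answer for "not yours" and "does not exist"
    exit('Widget not found');
}
foreach ($widget as $row) {
    echo "{$row['name']}: {$row['setting_key']} = {$row['setting_value']}\n";
}
```

Requesting cxid=43 with uid 123 in the session yields the 404 branch, while cxid=42 prints the Oslo setting.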